Published:2022/07/20  Last Updated:2022/07/21

JVN#20573662
Multiple vulnerabilities in Cybozu Office

Overview

Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities.

Products Affected

  • Cybozu Office 10.0.0 to 10.8.5

Description

Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities listed below.

  • [CyVDB-839][CyVDB-2300][CyVDB-3109] Browse restriction bypass vulnerability in Cabinet (CWE-284) - CVE-2022-32283
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0
  • [CyVDB-1795] Operation restriction bypass vulnerability in Project (CWE-285) - CVE-2022-32544
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0
  • [CyVDB-1800][CyVDB-2798][CyVDB-2927] Browse restriction bypass vulnerability in Custom App (CWE-284) - CVE-2022-29891
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0
  • [CyVDB-1849] Cross-site scripting vulnerability in the specific parameters (CWE-79) - CVE-2022-33151
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
  • [CyVDB-1851][CyVDB-1856][CyVDB-1873][CyVDB-1944][CyVDB-2173] Cross-site scripting vulnerability in the specific parameters (CWE-79) - CVE-2022-28715
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
  • [CyVDB-1859] Cross-site scripting vulnerability in the specific parameters (CWE-79) - CVE-2022-30604
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
  • [CyVDB-2030] HTTP header injection vulnerability (CWE-113) - CVE-2022-32453
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
  • [CyVDB-2152][CyVDB-2153][CyVDB-2154][CyVDB-2155] Information disclosure vulnerability in the system configuration (CWE-200) - CVE-2022-30693
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score: 5.3
    CVSS v2 AV:N/AC:L/Au:N/C:P/I:N/A:N Base Score: 5.0
  • [CyVDB-2693] Operation restriction bypass vulnerability in Scheduler (CWE-285) - CVE-2022-32583
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0
  • [CyVDB-2695][CyVDB-2819] Browse restriction bypass vulnerability in Scheduler (CWE-284) - CVE-2022-25986
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0
  • [CyVDB-2770] Browse restriction bypass vulnerability in Address Book (CWE-284) - CVE-2022-33311
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:L/Au:S/C:P/I:N/A:N Base Score: 4.0
  • [CyVDB-2939] Cross-site scripting vulnerability in the specific parameters (CWE-79) - CVE-2022-29487
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6

Impact

  • [CyVDB-839], [CyVDB-2300], [CyVDB-3109]:
    A user who can log in to the product may obtain the data of Cabinet.
  • [CyVDB-1795]:
    A user who can log in to the product may alter the data of Project.
  • [CyVDB-1800], [CyVDB-2798], [CyVDB-2927]:
    A user who can log in to the product may obtain the data of Custom App.
  • [CyVDB-1849], [CyVDB-1851], [CyVDB-1856], [CyVDB-1859], [CyVDB-1873], [CyVDB-1944], [CyVDB-2173], [CyVDB-2939]:
    An arbitrary script may be executed on a logged-in user's web browser.
  • [CyVDB-2030]:
    A remote attacker may obtain and/or alter the data of the product.
  • [CyVDB-2152], [CyVDB-2153], [CyVDB-2154], [CyVDB-2155]:
    A remote attacker may obtain the data of the product.
  • [CyVDB-2693]:
    A user who can log in to the product may alter the data of Scheduler.
  • [CyVDB-2695], [CyVDB-2819]:
    A user who can log in to the product may obtain the data of Scheduler.
  • [CyVDB-2770]:
    A user who can log in to the product may obtain the data of Address Book.

Solution

Update the Software
Update to the latest version according to the information provided by the developer.

Vendor Status

Vendor Status Last Update Vendor Notes
Cybozu, Inc. Vulnerable 2022/07/20 Cybozu, Inc. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

CVE-2022-28715, CVE-2022-30604, CVE-2022-32453, CVE-2022-33151
Masato Kinugawa reported these vulnerabilities to Cybozu, Inc. and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solutions through JVN.

CVE-2022-29891, CVE-2022-32544, CVE-2022-32583
Yuji Tounai reported these vulnerabilities to Cybozu, Inc. and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solutions through JVN.

CVE-2022-30693
Kanta Nishitani of Ierae Security Inc. reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.

CVE-2022-29487, CVE-2022-25986, CVE-2022-32283, CVE-2022-33311
Cybozu, Inc. reported these vulnerabilities to JPCERT/CC to notify users of the solution through JVN.

Update History

2022/07/21
Information under the section [Description] was fixed.